Blackhole Exploit Kit Spam Campaigns Disguised as Top Service Brands

Spam campaigns based on the Blackhole Exploit Kit send messages that contain links to compromised legitimate websites, which serve hidden iframes and redirections that exploit vulnerabilities across operating systems–from Android to Windows. Spam themes we have seen vary rapidly and are disguised to appear as legitimate messages from familiar services. Campaigns spoofing Facebook, LinkedIn, American Airlines, and various banking services carry embedded links to malware. Spammers abuse email templates from familiar service providers by capturing automated emails, replacing links in the template with links to malware, and rebroadcasting those messages to harvested or predicted recipients.

This tactic has proven effective for spammers. Recipients are likely to click links in familiar-looking emails and often create custom whitelist entries for common sending domains without enforcing Sender Policy Framework or DomainKeys Identified Mail validation.

The Messaging Security Team at McAfee Labs has closely monitored this trend and would like to share a few common traits from recent campaigns to aid in identification:

  • Messages are disguised to appear as legitimate mails from well-known service providers
  • Subject lines are very catchy and similar to those of any service provider

Subject line examples:

  • Your Verizon wireless bill
  • Pending Wire Transfer Notification – Ref: 15192
  • TrustKeeper Network Scan Information
  • BBC-Email: USA government decided to follow Cyprus and rise deposit taxes!!!
  • [FIRSTNAME LASTNAME] left you a comment…
  • Your order # ID[Random digits] has been completed

Other features:

  • URL paths commonly end in …/random_word.html or …/random_word.php
  • Spammers recycle templates across campaigns. These emails could have embedded links to malware or attached .zip/executable files.
  • Unsubscribe links are typically missing or replaced with malicious links

Blackhole Spam Samples

Fake wire-transfer campaign:


Fake LinkedIn campaign:


Fake Facebook campaign:



You will notice all of these samples have fake .html or .php links, which are highlighted in red in the foregoing samples. These are the links carrying payloads that we need to be aware off.

The bad guys will use many techniques to deliver their spam; social engineering is a reality. Messaging Security advises caution when clicking links in emails: hover first! Employ multiple layers of defense in your environment–from email defense to web security to antimalware, and keep those definitions up to date!

Mike Walker has Joined Hewlett-Packard

Mike The Archtiect Blog: Mike Walker has Joined Hewlett-Packard Some of you may already know from my LinkedIn profile that I have joined Hewlett-Packard (HP) in the Software Division as an Strategy and Enterprise Architecture Advisor.

As I was evaluating HP I didn’t fully appreciate HP’s status in the world of IT. I suppose I just thought of some of the acquisitions and the printer on my desk. It was fascinating to research this historic company and see where they are today.

Below are a few eye opening stats that changed my view and perceptions:

Once I did my research and joined I decided to take a stop by the historic HP garage where it all started for Silicon Valley or commonly referred to as the "Birthplace of Silicon Valley".

Mike The Architect Blog: Mike Walker HP Garage Palo Alto

Back to what I’m doing for HP

As most of you may know, I have served in an advisory capacity for some time so the advisor role is a very familiar role for me. When at Microsoft this was a key component to my role. Likewise at HP, I will be an advisor to HP’s top customers. What is interesting about this role is that it isn’t a consulting (billable) type of engagement and there are no quotas that are measured on sales of products or services. This was done very deliberately so that it drove incentives of the enterprise architects to have a business driven and product neutral conversation with customers. HP saw from some high technology vendors with similar offerings that the enterprise architects became more product / solution architects that used the EA vocabulary.

My role as an Enterprise Architecture and Strategy Advisor is broken up into thirds:

  1. Strategy and Enterprise Architecture Advisor – A wide range of activities happen here. From ad-hoc engagements that last a half day to workshops that last multiple days such as strategic discussions, strategy and architecture review,  business capability analysis, architecture design session, enterprise blueprinting review or an EA health check.
  2. Enterprise Architecture Community Development – I will continue with blogging, whitepapers, speaking engagements and increased involvement into standards bodies. I will continue to provide thought leadership into the TOGAF standard along with getting plugged into other areas that are impactful to enterprise architects. You may even see a architect community spring up as well.
  3. Provide the Voice of the Customer Back to HP – A very smart move on HP’s part is this aspect to the role in which brings all the insights from the previous two areas back into the HP machine. This could range from simple process improvement to insights into market trends to product challenges.


Well that’s it on that front. If you have any questions don’t hesitate to comment or send me an email.

Scams Exploiting Boston Marathon Explosion

Original release date: April 17, 2013 | Last revised: April 18, 2013

Malicious actors are exploiting the April 15 explosions at the Boston Marathon in attempts to collect money intended for charities and to spread malicious code. Fake websites and social networking accounts have been set up to take advantage of those interested in learning more details about the explosions or looking to contribute to fundraising efforts.              

For example, the Twitter account @_BostonMarathon was created shortly after the explosions took place. The account stated it would donate $1 for each retweet and was crafted to closely resemble the legitimate Boston Marathon Twitter account (@BostonMarathon). This account has since been suspended by Twitter; however, the likelihood that similar social media accounts will surface remains high.

Phishing email campaigns are also circulating using subject lines related to the Boston Marathon explosions. Do not open unexpected attachments or click on links in suspicious emails, even if the email appears to be from someone you know.

US-CERT recommends that all persons interested in donating funds should go directly to established charities. Exercise caution when interacting with social media accounts that claim to represent the best interests of those involved in the incident, and directly visit established news sources rather than conducting general search engine queries, as it can be difficult to tell which search results may lead to scam sites.

This product is provided subject to this Notification and this Privacy & Use policy.

Large Scale Botnet Brute Force Password Cracking Against WordPress Sites

There have always been a lot of brute force attempts/bot scans and hacking attempts on WordPress hosted sites (due to flaws in the core and a multitude of insecure plugins) – this site being no exception (they’ve even done some minor damage before). But things appear to have really ramped up recently with a large [...] The post Large...

Read the full post at